Krebs on Security

In-depth security news and investigation

Zero-Day Fixes From Adobe, Microsoft

Adobe and Microsoft today each separately released security updates to remedy zero-day bugs and other critical vulnerabilities in their software. Adobe issued fixes for its Flash and Shockwave players, while Microsoft pushed out 11 updates addressing at least two dozen flaws in Windows and other software.

Five of today’s 11 update bundles earned Microsoft’s “critical” rating, meaning that Microsoft judges the vulnerabilities those patches fix could be exploited remotely to run code without any action on the user’s part. At the top of the priority list for Windows users should be MS13-096, a patch that plugs a critical zero-day security hole in certain versions of Windows and Office. Microsoft first warned about this flaw on Nov. 5.

Microsoft also is urging customers and system administrators to prioritize two other critical fixes: MS13-097, a cumulative patch for Internet Explorer (all versions), and MS13-099, which fixes a remote code execution flaw in the Windows scripting runtime. All three of these patches fix bugs that Microsoft says are likely to be exploited by attackers in the near future.

Ross Barrett, senior manager of security engineering at Rapid7, points out a noteworthy patch (MS13-104) for users of Microsoft Office 2013’s “cloud” services, which apparently fixes another vulnerability that is actively being exploited. “This information disclosure issue affects the Office ‘client’ and could allow an attacker to hijack an authentication token and gain access to documents stored in cloud resources,” Barrett said.

Adobe has issued a patch for its Flash Player software that addresses at least two security holes, including a vulnerability that is already under active attack. Adobe said it is aware of reports of an exploit designed to trick the user into opening a Microsoft Word document with malicious Flash (.swf) content. The company credits researcher Attila Suszter for reporting the flaw; more information about this bug is available at Suszter’s blog.

To find out whether your system has Flash installed and at what version, check this page. Updates are available for Windows, Mac and Linux versions of Flash. The latest version for Windows and Mac users is 11.9.900.170, and 11.2.202.332 for Linux.

Google Chrome auto-updates its own versions of Flash (although not always right away); the newest Flash for Chrome is 11.9.900.170. Internet Explorer 10 and 11 on Windows 8 include an embedded version of Flash that gets updates from Windows Update, rather than through Adobe’s installer. On Windows 7 and earlier, Flash is not embedded, and needs to be updated via Adobe’s updater or manually by downloading the appropriate version from this page.

In addition, Adobe AIR (required by some applications like Pandora Desktop, for example) was updated to v. 3.9.1380 for Windows, Mac and Android devices. Adobe AIR checks for and prompts you to install any available updates anytime you launch an application that uses AIR; in any case, the download link is here.

Adobe also issued an update for its Shockwave Player software that fixes at least two vulnerabilities, bringing Shockwave to v. 12.0.7.148 on Windows and Mac systems. Shockwave is one of those programs that I’ve urged readers to remove or avoid installing. Like Java, it is very often buggy software that many people have installed but do not really need for everyday Web browsing. Securing your system means not only making sure things are locked down, but removing unneeded programs, and Shockwave is near the top of my list on that front.

If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed. If it prompts you to download Shockwave, then you don’t have Shockwave installed and in all likelihood don’t need it. Firefox users should note that the presence of the Shockwave Flash plugin listed in the Firefox Add-ons section denotes an installation of Adobe Flash Player plugin — not Adobe Shockwave.
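The version checks above rely on visiting Adobe’s test pages in each browser. For an administrator who wants to check several Windows machines without a browser, here is an added PowerShell example (not from this post or from Adobe) that reads the file version of the installed Flash ActiveX control (the one IE uses), the Flash NPAPI plugin (what Firefox lists as “Shockwave Flash”) and the Shockwave Player, and compares each against the patched versions named in this post. The file locations are the default install paths for Flash 11.x and Shockwave 12 as I know them and are assumptions; if Adobe products live elsewhere on your build, adjust the globs.

```powershell
# Added example: inventory Adobe Flash / Shockwave on a Windows host and flag
# anything older than the versions named in the post. Paths are assumptions
# (default installer locations); adjust for your environment.

# Patched versions from the post (Windows/Mac Flash; Windows Shockwave).
$Expected = @{
    'Flash ActiveX (IE)'    = [version]'11.9.900.170'
    'Flash NPAPI (Firefox)' = [version]'11.9.900.170'
    'Shockwave'             = [version]'12.0.7.148'
}

# 64-bit Windows keeps the 32-bit binaries under SysWOW64, so both trees are checked.
# On 32-bit Windows the SysWOW64 globs simply match nothing.
$Targets = @(
    @{ Name = 'Flash ActiveX (IE)';    Glob = "$env:SystemRoot\System32\Macromed\Flash\Flash*.ocx" },
    @{ Name = 'Flash ActiveX (IE)';    Glob = "$env:SystemRoot\SysWOW64\Macromed\Flash\Flash*.ocx" },
    @{ Name = 'Flash NPAPI (Firefox)'; Glob = "$env:SystemRoot\System32\Macromed\Flash\NPSWF*.dll" },
    @{ Name = 'Flash NPAPI (Firefox)'; Glob = "$env:SystemRoot\SysWOW64\Macromed\Flash\NPSWF*.dll" },
    @{ Name = 'Shockwave';             Glob = "$env:SystemRoot\System32\Adobe\Director\SwDir*.dll" },   # assumed path
    @{ Name = 'Shockwave';             Glob = "$env:SystemRoot\SysWOW64\Adobe\Director\SwDir*.dll" }    # assumed path
)

function Get-AdobePluginStatus {
    foreach ($t in $Targets) {
        # -ErrorAction SilentlyContinue: a missing directory just means "not installed".
        foreach ($file in Get-ChildItem -Path $t.Glob -ErrorAction SilentlyContinue) {
            # Adobe stamps versions as "11,9,900,170"; normalise commas so [version] can parse.
            $raw = ($file.VersionInfo.ProductVersion -replace ',', '.').Trim()
            try { $installed = [version]$raw } catch { continue }   # skip stray files with no usable version

            $want   = $Expected[$t.Name]
            $status = if ($installed -ge $want) { 'OK' } else { 'OUTDATED' }

            [pscustomobject]@{
                Component = $t.Name
                Installed = $installed
                Expected  = $want
                Status    = $status
                Path      = $file.FullName
            }
        }
    }
}

$results = @(Get-AdobePluginStatus)
if ($results.Count -eq 0) {
    'No Flash or Shockwave binaries found; nothing to patch (and, per the post, nothing worth installing).'
} else {
    $results | Format-Table Component, Installed, Expected, Status, Path -AutoSize
    # Non-zero exit lets a scheduled task or management agent pick up OUTDATED hosts.
    if ($results | Where-Object { $_.Status -eq 'OUTDATED' }) { exit 1 }
}
```

Two caveats from the post apply to the output. On Windows 8 with IE10/11, an OUTDATED ActiveX entry is fixed through Windows Update, not Adobe’s installer, so check the Windows Update history rather than re-running Adobe’s download. And an OUTDATED NPAPI entry can persist even when the ActiveX control is current, because Adobe’s updater treats the two as separate products; that is the situation one commenter below describes.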

This entry was posted on Tuesday, December 10th, 2013 at 3:27 pm and is filed under Latest Warnings, Time to Patch.

Thank you once again, Brian, for your consistently impeccable and incredibly useful notifications of the monthly update lunacy — your vigilance on security issues and helpfulness of the included links are tops!

If your blog’s comment section had thumbs up buttons, notes of thanks would be your highest rated comments.

Adobe Flash automatic updates are useless. A month after the previous (November) Flash version became available, that version still had not been installed on two Windows 7 systems. Actually, IE ensured that the ActiveX version was updated but that leaves those who use the plugin version vulnerable.

I have noticed the same difficulty. What’s more, this also occurred in October and November. The first time it happened caused me considerable problems as the complete lockup of my main machine (automatic updates was enabled and an instance of svchost.exe was consuming 99% of processor time) made me jump to the conclusion that there was a system problem in that first system I attempted to update. The system behaviour was completely unexpected.

Windows Update for XP always used to work so what is M$ playing at? Automatic updates were always sluggish but now leaving automatic update enabled causes XP systems to effectively become unusable after 1800 UTC on Patch Tuesday.

I conclude that either M$ is causing XP to be a low update priority or that it has engineered some ‘modification’ of the update mechanism in an attempt to encourage XP users to migrate to later OSs.

I don’t know what else to conclude is going on. Updates were straightforward up to and including September 2013.

I have resorted to manual updates and take a very dim view of these apparent developments.

I had the same interminable “checking for updates” on one XP desktop as well, but since I had set the automatic update function to notify (but not download) I was able to click that system tray icon, bring up the list of available updates and get that machine to process all of them successfully.

This morning there was a security notice from MS with an updated TechNet posting which might point toward the culprit — the FixIt patch (51004) which was made available in response to the zero-day threat a few weeks ago needs to be removed by applying the appropriate patch (51005). I had downloaded both to a thumb drive, so disabling the earlier temporary workaround was straightforward, but others may have simply applied the initial patch online and not bothered to download the disabling patch.

If you applied the first enabling patch and now need to apply the disabling patch but don’t have it handy, here’s the relevant link:

Hello Brian. I have a problem with the link. “If you visit this link and see a short animation, it should tell you which version of Shockwave you have installed.” http://www.adobe.com/shockwave/welcome/

“It isn’t a new bug, but it’s a killer, and this month’s round of Automatic Updates has brought it back with a vengeance. Freshly installed Windows XP SP3 machines running Windows Update — typically because Automatic Update is turned on — will stall twice. First, when Windows Update accesses the Microsoft website to gather a list of available updates, the machine can lock up for five, 10, 15 minutes — or more — with the CPU and fan running at 100 percent. Then, if the customer waits long enough for the updates to appear, and clicks to install them, the XP machine goes racing away again for five or 10 or more minutes, with the CPU redlined at 100 percent….
…
Will Microsoft go in and fix wuauclt.exe — or, better, fix whatever is broken in its back-end processing — before Windows XP turns belly up next year? I wouldn’t bet on it.”

I wondered what on Earth this SVCHOST process was doing — it consumed 30+ minutes of CPU time before it calmed down!

I fear it will go through that again after a reboot. I have turned checking for updates entirely off and will wait a day or two more to see if Microsoft does anything to resolve this.

I just finished finally resolving the latest ridiculous SVCHOST.EXE goes crazy 100% CPU for 10 to 30 minutes while defective wuauclt.exe tries to figure out what updates are needed, EFFECTIVELY BREAKING THE UPDATER’s ABILITY TO UPDATE ITSELF.

In the interim, you have to TURN OFF Automatic Updates completely, as this foolishness repeats itself whenever you reboot the PC.

Wikipedia says 31% of PC users are still on XP… and Microsoft was too stupid to even include a Start button on Windows 8?

Sheesh! Bill Gates became the richest man on Earth taking money from everyone who bought this crap, and now I should give him even more to get a new OS? I don’t think so. If I had the money, I’d jump ship in a minute to go to a Mac; instead, I’m probably going to be one of those XP users figuring out Linux soon.

“I’m probably going to be one of those XP users figuring out Linux soon. ”

Though I would encourage anyone to try a flavor of Linux (Go for Mint or Fedora, and use either with Cinnamon interface) and I’m pretty close to going entirely Linux myself (if it weren’t for a few things I still need Windows for): updates on Linux aren’t any less problem prone!

Adobe management has provided revenue guidance of $975 million and EPS guidance of 26 cents respectively for the next quarter, lower than consensus estimates for revenues and EPS which are $1.02 billion and 34 cents respectively. bit.ly/AdobeAnalysts

Why is it that the Windows OS is a constant security risk with 0-day exploits being released every day and patches being released every month? Why hasn’t Brian asked his users to UNINSTALL WINDOWS UNLESS YOU ABSOLUTELY NEED IT or move to a more secure OS like Linux or OSX? He has no problem criticizing Java, but when it comes to Windows it somehow gets a free pass.

Java has actually been buttoned down rather securely by Oracle. Windows, however, is still the constant security, virus and malware nightmare it will always be.

I would posit the following three reasons why Brian might not follow or agree with your advice (but will certainly expect him to counter and offer his own reasoning if warranted):

1) The installed base for Windows is very large, widespread across both vertical and horizontal markets globally and encompasses users from complete novice to deeply experienced, while OSX and Linux (and now Android) have a far smaller and highly selective set of users or adherents in a much more narrow penetration among select geographic markets. This is changing rapidly with the shift from desktop/laptop hardware to tablet/smartphone hardware though, at least for individuals and more slowly for businesses and institutions.

2) Wholesale conversion on a voluntary basis from Windows to some other OS wouldn’t be realistic or feasible for most individual users who fall into the less-than-expert category, and for any business whose application(s) function reliably on Windows code (or MS apps largely designed for Windows code) and have become substantial revenue generators or critical elements of their strategic business activity, the cost of conversion (both acquisition in achieving a reliable substitute and time for staff implementation and retraining) to achieve comparable functioning is such a significant barrier most can’t justify or won’t entertain the notion. After all, there are still COBOL systems in use out there in the real world of institutional computing some 40+ years after that language became obsolete.

3) As market share of OSX, Android or Linux rises and increasingly evolves to represent a worthwhile supply of users for miscreants to exploit by comparison with the huge legacy market Microsoft has captured with Windows (and Sun/Oracle with Java), those same and new miscreants will devote more effort and attention towards finding zero-day exploits to provide the benefits of hacking they desire (whether financial gain or merely kudos among blackhat peers). For years, Mac users tended to gloat in the lack of malware or OS badness by comparison with Windows, but that’s no longer the case — that transition seems to be occurring even more rapidly with Android.

Finally, the fact that Windows has such a large market share and installed base means that Microsoft MUST for strategic business reasons ensure retention of substantial compatibility in new OS versions with legacy applications and functions for some significant period after each release, which the firm tries to minimize by its public specification of end-date termination of support to encourage (ever more forcibly as the date approaches) the migration of users to a newer OS version — but it’s those legacy compatibilities which frequently continue to provide avenues of exploitation in the newer versions, so there’s an implicit conundrum because with any zero-day exploit, MS has an intrinsic requirement not to provide a flawed patch which is insufficiently tested that might seriously break the functionality of systems upon which its business users rely.